
6.5 Threat analysis

With the help of a phosphor decay curve like the one shown in Fig. 6.5, we can now estimate the signal strength that an eavesdropper can receive and what upper bound for the reception distance shot-noise imposes. For definitions of the radiometric and photometric quantities and SI units used here, see [128, 109].²

For the following order-of-magnitude estimates, we assume in the interest of simplicity that the screen, wall, and sensor surfaces involved are roughly parallel to each other and that the photons of interest travel perpendicular to these, otherwise the cosine of the relevant angles would have to be multiplied in as well. We also assume that the quantum efficiency of the photosensor – the probability that a photon passing through the aperture is registered – equals 1. Smaller values of real sensors can be taken into account by adjusting the sensor aperture $A_r$.

6.5.1 Direct observation

We first consider the case without diffuse reflection from a wall, where the eavesdropper can see the screen surface directly. This might allow projective observation with a telescope, but the result might not be satisfactory in situations with minor distortions such as aperture diffraction, atmospheric fluctuations or even a frosted glass window. Time-domain analysis of the received light could be of interest even where a line of sight is available.

Let $t_p = f_p^{-1}$ be the duration for which the electron beam illuminates a single pixel. The video voltage due to one pixel (full intensity: $V = 1$ V) will be

$$v_\gamma(t) = \begin{cases} V & \text{if } 0 < t \le t_p \\ 0 & \text{otherwise} \end{cases} \tag{6.13}$$

and the resulting radiant intensity according to (6.3) is

$$I_p(t) = V \cdot \int_{t-t_p}^{t} P(t')\,\mathrm{d}t'. \tag{6.14}$$

At distance $d$ with receiver aperture area $A_r$, neglecting transmission delays and the directional characteristic of the emitter, the power received from the pixel is

$$P_p(t) = \frac{A_r}{d^2} \cdot I_p(t). \tag{6.15}$$

We approximate the detection process performed in the receiver by simply integrating the received pixel power over the pixel duration. The resulting energy collected per pixel is

$$Q_p = n \cdot \int_0^{t_p} P_p(t)\,\mathrm{d}t \tag{6.16}$$

where n is the number of frame repetitions accumulated by periodic averaging. This is only a small fraction of the overall energy received from the pixel during its decay, but it approximates the amount of energy that can be separated from the contributions of neighbor pixels by high-pass filtering. At wavelength λ this energy corresponds to

² In a nutshell: Luminous flux is measured in lumen (lm), which is the photometric equivalent of radiation power, weighted by the spectral sensitivity of the human eye, where 683 lm are per definition as bright as 1 W of (green) 540 THz light. In order-of-magnitude calculations, I will simply approximate $10^3$ lm as 1 W. The steradian (sr) measures a solid angle ($4\pi$ for the full sphere), candela (cd) is the same as lumen per steradian and measures the luminous intensity of a light source in a given direction, and lux (lx) is the same as lumen per square meter and measures the illuminance of a location. Commonly encountered illuminance levels cover ten orders of magnitude, from $10^5$ lx for “direct sunlight” to $10^{-4}$ lx

$$N_p = \frac{Q_p \lambda}{hc} \tag{6.17}$$

photons per pixel ($hc = 1.986 \times 10^{-25}$ J m).

We also have to consider background light as a noise source, both from other pixels of the observed CRT as well as any surrounding surfaces. The photon count per pixel duration from the background light can be estimated as

$$N_b = \frac{n t_p A A_r L_b \lambda}{h c d^2}, \tag{6.18}$$

where $L_b$ is the average radiance and $A$ is the area of the observed background surface.

The arrival of photons at a detector aperture is a Poisson process [118]. This means that when a random variable $N$ describes the number of photons received per pixel and we expect $E[N]$ photons on average then the standard deviation $\sqrt{E[(N - E[N])^2]}$ will be $\sqrt{E[N]}$. This inevitable variability of the photon count is known as shot noise. As $N_b \gg N_p$, the background light determines the amount of shot noise against which the status of a single pixel has to be detected. This roughly becomes feasible when the signal-to-noise ratio is greater than one, that is

$$N_p > \sqrt{N_b} \tag{6.19}$$

or with $P(t) \approx P(0)$ for $0 \le t \le t_p$

$$\frac{n t_p^2 A_r V P(0) \lambda}{2 h c d^2} > \sqrt{\frac{n t_p A A_r L_b \lambda}{h c d^2}} \tag{6.20}$$

and therefore

$$\frac{A_r}{d^2} > \frac{4 A h c L_b}{n \lambda V^2 t_p^3 P^2(0)}. \tag{6.21}$$

We can now fill this condition with some example parameters. Assuming a background luminance of 100 cd/m², as it is typical for a CRT and other bright surfaces in a well-lit office environment [109, 110], the corresponding background radiance will be in the order of not more than $L_b = 0.1$ W/(sr · m²), from which we mask off an observed area of $A = 0.2$ m². Together with other typical parameters such as $t_p = 20$ ns, $P(0) = 10^3$ W/(V · s · sr), $V = 1$ V, $\lambda = 500$ nm, and by averaging $n = 100$ frames, we get

$$\frac{A_r}{d^2} > 4 \times 10^{-5}\ \text{sr}. \tag{6.22}$$

For example, a simple telescope with $A_r = 0.3$ m² could therefore theoretically receive a


6.5.2 Indirect observation

We now consider an indirect observation in a dark environment, where the not directly visible CRT screen faces at distance $d'$ a diffusely reflecting observable wall, which has a reflection factor $0 < \varrho < 1$. The radiant intensity (power per solid angle) $I_p(t)$ from a pixel will lead to an irradiance (incoming power per area)

$$E_p(t) = \frac{I_p(t)}{d'^2} \tag{6.23}$$

onto the wall and to a radiant exitance (outgoing power per area) of

$$M_p(t) = \varrho E_p(t). \tag{6.24}$$

For a uniformly diffusing (“Lambertian”) surface, we have to divide the radiant exitance by π [109] to obtain the corresponding radiance (power per solid angle per area)

$$L_p(t) = \frac{1}{\pi} M_p(t) \tag{6.25}$$

which leads us finally to the power

$$P_p(t) = \frac{A A_r}{d^2} \cdot L_p(t) \tag{6.26}$$

passing through the receiver aperture $A_r$, which is located at distance $d$ from the observed wall area $A$. Using the same $P(t) \approx P(0)$ for $0 \le t \le t_p$ approximation as before, we can estimate the number

$$N_p = \frac{\varrho n t_p^2 A A_r V P(0) \lambda}{2 \pi h c d^2 d'^2} \tag{6.27}$$

of photons received from a single pixel and compare it to the number

$$N_b = \frac{n t_p A A_r \varrho E_b \lambda}{\pi h c d^2} \tag{6.28}$$

of photons received from the background light, assuming the wall is exposed to an irradiance $E_b$. The signal to shot-noise ratio will again be of order unity under the condition $N_p > \sqrt{N_b}$, which leads to a receivability condition

$$\frac{A_r}{d^2} > \frac{4 \pi E_b h c d'^4}{\varrho n \lambda t_p^3 A V^2 P^2(0)}. \tag{6.29}$$

Let’s again look at an example scenario. Assuming the observed monitor has a luminous intensity of 100 cd/m² × 240 mm × 320 mm = 8 cd, a wall at a distance $d' = 2$ m would be exposed to an illuminance in the order of 2 lx from the overall light given off by the monitor alone, which corresponds to the illuminance during “late twilight” [109] and is equivalent to an irradiance in the order of $E_b = 1$ mW/m². Using this with the same example parameters as before, as well as $A = 2$ m² and $\varrho = 0.5$, we get

$$\frac{A_r}{d^2} > 1 \times 10^{-4}\ \text{sr} \tag{6.30}$$

for this indirect observation under late twilight conditions. The $A_r = 0.3$ m² mirror used as an example before could therefore receive a signal under these conditions up to 50 m away. This distance is proportional to $1/\sqrt{E_b}$, so, for example, under full daylight
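The receivability conditions (6.21) and (6.29) can be evaluated with the example parameters of Sections 6.5.1 and 6.5.2 to see how strongly ambient light on the wall tightens the bound. This is an added example, not part of the original text; the function names are assumptions, and the irradiance values above 1 mW/m² are constructed.

```python
import math

HC = 1.986e-25  # h*c in J m, the value used in the text

# Example parameters quoted in the text (SI units).
COMMON = dict(n=100, lam=500e-9, V=1.0, t_p=20e-9, P0=1e3)

def direct_threshold(A, L_b, n, lam, V, t_p, P0):
    """Smallest A_r/d^2 (sr) allowed by (6.21): direct line of sight."""
    return 4 * A * HC * L_b / (n * lam * V**2 * t_p**3 * P0**2)

def indirect_threshold(A, E_b, d_wall, rho, n, lam, V, t_p, P0):
    """Smallest A_r/d^2 (sr) allowed by (6.29): diffuse wall at d_wall = d'."""
    return (4 * math.pi * E_b * HC * d_wall**4
            / (rho * n * lam * t_p**3 * A * V**2 * P0**2))

def max_distance(A_r, threshold):
    """Distance d (m) at which A_r/d^2 equals the threshold."""
    return math.sqrt(A_r / threshold)

def indirect_snr(A_r, d, A, E_b, d_wall, rho, n, lam, V, t_p, P0):
    """N_p / sqrt(N_b) computed from the photon counts (6.27) and (6.28)."""
    N_p = (rho * n * t_p**2 * A * A_r * V * P0 * lam
           / (2 * math.pi * HC * d**2 * d_wall**2))
    N_b = n * t_p * A * A_r * rho * E_b * lam / (math.pi * HC * d**2)
    return N_p / math.sqrt(N_b)

def bound_vs_background(A_r, E_b_values, **wall):
    """Upper bound on d for each wall irradiance E_b (W/m^2)."""
    return [(E_b, max_distance(A_r, indirect_threshold(E_b=E_b, **wall, **COMMON)))
            for E_b in E_b_values]

if __name__ == "__main__":
    print("direct   A_r/d^2 > %.1e sr" % direct_threshold(A=0.2, L_b=0.1, **COMMON))
    wall = dict(A=2.0, d_wall=2.0, rho=0.5)
    # 1e-3 W/m^2 is the text's late-twilight value; the larger ones are
    # constructed to show the 1/sqrt(E_b) scaling.
    for E_b, d in bound_vs_background(0.3, [1e-3, 1e-2, 1e-1], **wall):
        print("E_b = %.0e W/m^2 -> d < %.1f m" % (E_b, d))
```

Evaluating `indirect_snr` at the distance returned by `max_distance` gives a ratio of one, which confirms that (6.29) is the $N_p = \sqrt{N_b}$ boundary of (6.27) and (6.28).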

6.5.3 Observation of LEDs

It is worth noting that the very high pixel frequencies used by CRTs play a significant rôle in limiting the reception range. Optical displays with lower update frequencies could pose an eavesdropping risk, even if they do not offer the redundancy of a repetitive video signal. Practical examples are devices with slow serial ports ($10^4$–$10^5$ bit/s), such as some modems, that feature light-emitting diode (LED) displays to indicate the logic level of data lines. Unless the displayed signal is distorted, for example, by a monostable multivibrator circuit that enforces a minimum LED-on period of at least a character time, an optical eavesdropper could manage to reconstruct transmitted data by monitoring the LED luminosity at a distance. A recent study found that of 39 tested communication devices, 14 emitted serial-port data in light from transmit/receive line status LEDs [119]. Another example would be software-controllable status LEDs, such as those connected to the keyboard and hard-disk controller of every PC. Malicious software could use these to covertly broadcast information in situations where this cannot be accomplished via normal network connections (e.g., due to “air gap” security or a mandatory access-control operating system).

Normal LEDs have a luminous intensity of 1–10 mcd, although super-bright variants with up to 100 mcd or more are available as well.

We can again estimate the expected number of photons $N_p$ received from a single bit pulse of the LED, as well as the expected number $N_b$ from the background illumination. For a sufficiently large $N_b$, we can approximate the distribution of the number $N$ of photons received as a normal distribution

$$P\left(\frac{N - \mu}{\sigma} < x\right) \approx \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{x} e^{-\frac{y^2}{2}}\,\mathrm{d}y \tag{6.31}$$

with the mean value

$$\mu = \begin{cases} N_b + N_p & \text{when LED on} \\ N_b & \text{when LED off} \end{cases} \tag{6.32}$$

and the standard deviation

$$\sigma = \sqrt{N_b}. \tag{6.33}$$

Assuming that transmitted bits 0 and 1 are equally likely, a matched filter detector [120] will count the photons $N$ received per bit interval and compare the resulting number with the threshold $N_b + \frac{1}{2} N_p$ to decide whether the LED was on or not. The probability for a bit error due to shot noise will therefore be

$$p_{\mathrm{BER}} = Q\left(\frac{N_p}{2\sqrt{N_b}}\right) \tag{6.34}$$

where

$$Q(x) = \frac{1}{\sqrt{2\pi}} \int_{x}^{\infty} e^{-\frac{y^2}{2}}\,\mathrm{d}y = \frac{1}{2} - \frac{1}{2}\operatorname{erf}\left(\frac{x}{\sqrt{2}}\right) \approx \frac{e^{-\frac{x^2}{2}}}{x\sqrt{2\pi}} \quad \text{if } x > 3 \tag{6.35}$$

is the Gaussian error integral [120].
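The threshold detector of (6.31) to (6.35) can be checked numerically: the sketch below computes $p_{\mathrm{BER}}$ from (6.34) and compares it with a simulated detector that draws photon counts from the normal model. It is an added example, not part of the original text; the function names and the photon counts ($N_p = 300$, $N_b = 10^4$) are constructed for illustration.

```python
import math
import random

def q_function(x):
    """Gaussian error integral Q(x) of (6.35), evaluated via erfc."""
    return 0.5 * math.erfc(x / math.sqrt(2))

def q_asymptotic(x):
    """Closed-form approximation from (6.35), stated there for x > 3."""
    return math.exp(-x * x / 2) / (x * math.sqrt(2 * math.pi))

def ber_shot_noise(N_p, N_b):
    """Bit error probability (6.34) for signal N_p and background N_b photons."""
    return q_function(N_p / (2 * math.sqrt(N_b)))

def simulate_ber(N_p, N_b, bits, seed=1):
    """Threshold detector on counts drawn from the normal model (6.31)-(6.33)."""
    rng = random.Random(seed)
    sigma = math.sqrt(N_b)           # (6.33)
    threshold = N_b + N_p / 2        # decision threshold from the text
    errors = 0
    for _ in range(bits):
        led_on = rng.random() < 0.5  # bits 0 and 1 equally likely
        mu = N_b + N_p if led_on else N_b   # (6.32)
        count = rng.gauss(mu, sigma)
        if (count > threshold) != led_on:
            errors += 1
    return errors / bits

if __name__ == "__main__":
    N_p, N_b = 300, 10_000           # constructed photon counts
    print("formula   :", ber_shot_noise(N_p, N_b))
    print("simulated :", simulate_ber(N_p, N_b, 200_000))
    # More background light raises the error rate for the same N_p.
    print("4x N_b    :", ber_shot_noise(N_p, 4 * N_b))
    print("Q(4) exact vs approx:", q_function(4), q_asymptotic(4))
```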

As a practical example, we consider a direct line of sight to a green (λ = 565 nm) LED with a luminous intensity of 7 mcd, which corresponds to a radiant intensity of roughly
